1.

What Is The CX Module In ASA-X Series?

Answer»

ASA NGFW Services (formerly ASA CX) re-imagines the firewall, delivering context-aware security that empowers enterprises to manage applications, devices and the evolving global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging local network intelligence via Cisco AnyConnect and TrustSec, and global threat information via Cisco’s Security Intelligence Operation.

2.

What Is The VPN Split In IPv4/IPv6 Network? Is There VPN Bypass With ASA?

Answer»

VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the clients / remote site can connect with a headend behind ASA.

3.

Does It Option For Snapshot For Backup Purpose So We Can Restore The All Configuration Very Fast. And How Many Snapshot It Can Store?

Answer»

If the query is about CSM, and you would like to see the configurations within the CSM interface, there are two ways to do this.

  1. From the Device View, right-click on the device and select "Preview Configuration..."
  2. In the top bar, go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM.

4.

What About MGCP Support?

Answer»

Cisco ASA Clustering does not support any UC protocols including H.323 suite, RTP, RTCP, SIP, SCCP and MGCP.

5.

Is There A Concept Of Inter-context Communication In Current ASA? Meaning No Need To Forward The Traffic Out Of The Interface But Instead Inside ASA And Between Context. Saves Interface And Much Faster?

Answer»

As of today, inter context communication has to go out of a physical interface and come in again (same or different interface). Essentially trombone of traffic needs to happen out and in to the firewall.

6.

Does Packet Tracer Support FWSM?

Answer»

FWSM doesn't support packet tracer command.

7.

Can We Configure The Cisco ASA On Distributor Architecture?

Answer»

ASA clustering is distributed architecture for High Availability and is compatible with next gen and current switching infrastructure.

8.

Does ASA Support Stateful Sync For SSL Or IPSec VPN Sessions, Means Suppose Primary Fails Then SSL Or IPSec VPN Session Need Not To Re-establish Connectivity With Secondary?

Answer»

Yes, stateful failover is available for IPSec and SSL connections.

9.

Is There Road-map To Allow VPN Functionality With ASA Cluster Deployment?

Answer»

Site to site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on roadmap as I know.

10.

Can We Expect Remote Access VPN Support For Contexts Anytime Soon?

Answer»

As far as I know it's not on the roadmap for next few releases.

11.

Can CSM Take Backup Of ASA Configuration?

Answer»

In CSM if you would like to see the configurations there are two ways to do this.

  1. From the Device View, right-click on the device and select "Preview Configuration..."
  2. In the top bar, go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM.

CSM based backups are manual and are not automated.

12.

Can Cisco Security Manager Be A NetFlow Collector For ASA Devices?

Answer»

CSM is primarily meant for configuring and managing the firewalls. If you wish to collect NetFlow data it's better to look at Cisco LMS/Prime solutions.

13.

What Will Happen If One Node Fails In ASA Cluster. Traffic Which Was Going Through Failed Node Will Be Dropped Or It Will Be Processed By Some Other Node In Cluster?

Answer»

Yes, ASA clustering always has a backup node (owner) for every flow through the cluster so, if the node through which traffic is passing is down, the next owner will process the n+1 traffic (if previous node was processing nth packet).

14.

And How Do I Just Point To _one_ ASA IP From Core Routing Equipment, When Clustering?

Answer»

Addresses configured in pool are given to firewalls in cluster, you can simply push the traffic to any given address assigned to specific firewall in cluster.

15.

Can We Use ASA For Web Filtering Like Proxy?

Answer»

Yes, ASA can be used for web filtering and it has been possible for many years. Now, you also have ScanSafe.

16.

Does Easy VPN Work With Active/Standby Mode In ASA?

Answer»

Yes, it works with failover ASA.

17.

Will Remote VPN Work With Clustering Mode?

Answer»

It doesn't work.

18.

Can The IPS In ASA5500-X Do Heuristic Detection?

Answer»

Basic heuristics are there, 0day attacks are identified (now better by ScanSafe, an improvement over local engine).

19.

Is That Also The Fact With Site2site VPN When Cluster Master Fails Or Does It Work More Like Active/Standby VPN State Failover?

Answer»

Clustering is analogous to failover, not the same. The VPN sessions will be replicated across the cluster.

20.

Does The ASA Support Server Load Balancing?

Answer»

No, ASA doesn't support Server Load Balancing.

21.

We Are Using 3 Different Management Servers, We Are Facing This ASDM Loading Issue With All Of Them, How There Can Be Issue With OS Level?

Answer»

Please get in touch with Cisco TAC for in-depth review & troubleshooting.

22.

How Is The VIP Maintained In The Cluster?

Answer»

There is no VIP, all firewalls have their own firewall, we need load-balancing from outside the cluster.

23.

Is There Any Policy Limitation Of Cisco ASA?

Answer»

Virtually not, you can have as many policies but can be brought down if combined with TrustSec.

24.

Based On Active Cluster Configuration, If New Firewall Picks An IP Address From The Pool, Later If The Firewall Goes Down How The Session Failover Will Happen, The Live Session Will Be Dropped Or It Will Failover To Other Active Firewall?

Answer»

It will be taken care of by the next priority firewall in the cluster.

25.

Few Years Ago Threat Detection, Routing Protocols, Etc. Will Not Be Used If You Enable Multiple Context Mode On ASA. Was This Resolved Already In Today's Software Or Product Line?

Answer»

Virtually not, you can have as many policies but can be brought down if combined with TrustSec. Still same:

Multiple context mode does not support the following features:

  • RIP
  • OSPFv3. (OSPFv2 is supported.)
  • Multicast routing
  • Threat Detection
  • Unified Communications
  • QoS
  • Remote access VPN. (Site-to-site VPN is supported.)

26.

Why Do I Still Have To Manually Copy XML Profiles From The Active To The Standby?

Answer»

Depends on the version you are using. More detailed info can be obtained from Cisco TAC as it's specific to AnyConnect.

27.

Hello Do We Need To Have Even Number Of Firewalls To Participate In Clustering?

Answer»

No, there are no such mandates.

28.

What If One Of The ASA Goes Down, Will The Other 7 Modules Still Deliver 280 Gbps?

Answer»

Only the throughput will drop on overall basis but no impact on traffic.

Total Throughput = N x Single node throughput x Scaling Factor.

29.

Can I Have An HA Design With Two ASA 5525 X In Two Separate Places In Active/Active Mode?

Answer»

In that case you are expanding your cluster, there is no restriction but I do not see any use case of this.

30.

Are There Only 8 ASA In A Cluster Possible, And Can I Mix The Models?

Answer»

It has to be same model with same hardware configuration like memory etc.

31.

Is Clustering Possible Across Geographies Or Is There Any Distance Limitation ?

Answer»

This can be done through VPNs (site to site) but never recommended. Such setup in production environment is not recommended.

32.

Can I Have Multi-context Along With Clustering?

Answer»

You won't need a context in cluster mode but you can have multi contexts.

33.

Is Access To The ScanSafe Database A Subscription Service?

Answer»

Yes, a ScanSafe subscription will be required.

34.

When We Say ASA Virtualization, Is That The Hardware Virtualization, IOS Or The Configurations?

Answer»

You can use ASA 1000V for virtualized environment and that's what it means. Again, if term virtual is used, it can be a context as many times these two terms are used interchangeably.

35.

Can We Mix Different Models In Clustering, i.e. Can 5510 Be Clustered With 5520?

Answer»

No, we can't mix different ASA models. And clustering is only supported with 5580, 5585 or 5585X.

36.

Can Security Manager Be A Syslog Server As Well?

Answer»

CSM is built to be a single point of management and configuration for ASA and other security products. The function of syslogging is to be offloaded to an external server.

37.

Can We Block HTTPS Traffic On Firewall?

Answer»

When you are saying Block, I assume you are saying traffic going through the firewall, then the answer to that would be Yes.

38.

What Is Multiprotocol Throughput?

Answer»

When different types of traffic are going through the firewall, i.e. HTTP, FTP, etc.

39.

Clustering Up To 8 Firewall Would Be Active/active Or Active/standby?

Answer»

All 8 units will be active in a cluster.

40.

How Does ASA 5500-X React On Zero Day Attack?

Answer»

Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.

41.

Can You Load Balance Your Outgoing Internet Connectivity With Two Inter Connections Hooked To One ASA?

Answer»

Presently it is not possible to load balance traffic between two ISP links on an ASA.

42.

Can You Explain The Significance Of SGT In The Context Of ASA?

Answer»

SGT is part of TrustSec.

43.

Does Site-to-site VPN Co-exist With Remote Access?

Answer»

If using ASA clustering then VPN will not work. If non-cluster environment you can use L2L VPN and can co-exist in standalone version.

44.

What Is Sub Second Failover?

Answer»

Sub second failover as the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting the failover settings too low though as you may have a quick communication loss due to congestion.

45.

Which Command Used To Switch Multiple Mode To Single Mode?

Answer»

mode single

46.

What Command To Check NAT Table In Cisco ASA?

Answer»

show nat detail

47.

What Is Command To Permit Traffic In Same Security Level In ASA?

Answer»

same-security-traffic permit inter-interface

48.

What Is Stateful Inspection?

Answer»

A stateful firewall maintains the connection table, which keeps track of the active connections. It maintains the dynamic connection table, which is continuously updated with the state of each connection. A stateful firewall first inspects the session table instead of the security policy.

49.

What Is A Transparent Firewall?

Answer»

A transparent firewall acts like a layer 2 device. A transparent firewall can be easily deployed on an existing network. A transparent firewall allows layer 3 traffic from a higher security level to a lower security level without an access list.

50.

What Is Default Security Level For Outside Interface In ASA Firewall?

Answer»

0.